http://www.winsnort.com


Welcome to the home of WinIDS - Windows Intrusion Detection System!
Thank you for visiting WINSNORT.com


sbartlett
Post subject: Base not seeing sensor  PostPosted: Jan 11, 2009 - 11:17 PM
Joined: Jan 01, 2009
Posts: 8
The http://winids/base site works. I have searched on the issue I'm having now with no results that could be translated from any Linux forums or these forums. The BASE web page displays fine but shows 0/1 sensors. Thus no collection of data from MySQL.

I've tested snort: "snort -v -i2" and "snort -dev -i2"
This even reports Nmap scans to the portscan.log. So I know Snort is working. I've gone through every setting I can think of. I've checked and rechecked every "link" in the files - php, base, snort. I cannot for the life of me find the missing variable. Any help would be appreciated.

I do have one other question though. I had seen where other users had posted showing how Snort is starting up and everything it's doing. I can't find anything on how to do this, such as how to make sure it's starting in -dev mode (that being sniffer mode, I think). Would you be so kind as to enlighten me on how this is done? I mean, if you don't mind helping me understand this. If it's a bother I'd rather just get BASE to report. I don't want to ask too much and leave myself looking as though I'm lacking in abilities.

_________________
Windows XP pro sp3
20g c:
20g d:
512Mb ram (will be increased)
Snort, MySql, IIS, Base
Non domain IDS system
Inline tap (plugged into switch for now)
 
Morpheus
Post subject: RE: Base not seeing sensor  PostPosted: Jan 12, 2009 - 06:00 AM
Site Admin
Joined: Sep 04, 2003
Posts: 1462
Location: East Coast - USA
Looks like a problem with BASE reaching the database. Make SURE you can log into mysql using the same credentials that BASE is using.

You can check the number of alerts in the database by logging into mysql, and at the mysql prompt type:

use snort;
SELECT count(*) FROM event;

The output should look something like:

count(*)
x

Note: In the above the x is the number of alerts in the database.

_________________
Best regards,
Morpheus...

WINSNORT.com Management
 
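An added example, not code from the thread or from WINSNORT: a batch file that runs Morpheus's check from the Windows command line instead of the interactive mysql prompt, and extends it to the sensor table so the "0/1 sensors" that BASE displays can be matched against what is actually in the database. It assumes the mysql client is on the PATH, the database is named snort and BASE connects as user base (all taken from the thread); the BASEPW variable and the -D option are this script's own choices, not anything the posts mention.

```batch
@echo off
rem Added example, not from the original post or from WINSNORT.
rem Checks, with the credentials BASE uses, whether Snort has registered a
rem sensor and whether any events exist for it.
rem Assumptions: mysql.exe is on the PATH, database "snort", user "base"
rem (taken from the thread); BASEPW is this script's own convention.
setlocal
set DBUSER=base
set DBNAME=snort
if "%BASEPW%"=="" (
  echo Set BASEPW to the password BASE uses for user %DBUSER%, then re-run.
  exit /b 1
)
rem -D selects the database, -t prints table-style output even with -e.
set MYSQL=mysql -u %DBUSER% -p%BASEPW% -D %DBNAME% -t

rem 1. Log in with exactly the credentials BASE has in base_conf.php.
%MYSQL% -e "SELECT 1;" >nul 2>&1
if errorlevel 1 (
  echo FAIL: cannot log in to %DBNAME% as %DBUSER% - fix the GRANT or base_conf.php first.
  exit /b 1
)
echo OK: login as %DBUSER% works.

rem 2. Sensors registered by Snort's database output plugin. A row is created
rem    the first time Snort connects with a given hostname/interface; last_cid
rem    is the last event id written for it. No rows at all means Snort has
rem    never reached MySQL, so look at the output database line in snort.conf.
echo.
echo Sensor table:
%MYSQL% -e "SELECT sid, hostname, interface, last_cid FROM sensor;"

rem 3. Events per sensor. A sensor row with 0 events means Snort connected
rem    but has logged nothing, which is what a count(*) of 0 on event shows.
echo.
echo Events per sensor:
%MYSQL% -e "SELECT s.sid, s.hostname, COUNT(e.cid) AS events, MAX(e.timestamp) AS last_event FROM sensor s LEFT JOIN event e ON e.sid = s.sid GROUP BY s.sid, s.hostname;"
endlocal
```

Passing the password with -p%BASEPW% puts it on the command line, where Task Manager and any other local user can read it; on a box that is not single-user, drop -p%BASEPW% and let mysql prompt for each query instead. The split between steps 2 and 3 is the point: a failed login points at BASE's configuration, a missing sensor row points at Snort's output plugin or its grants, and a sensor row with zero events points at Snort not generating or not writing alerts.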
sbartlett
PostPosted: Jan 12, 2009 - 08:09 AM
This is the result from logging into mysql as base.

C:\>mysql -u base -p
Enter password: *******
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.0.67-community-nt MySQL Community Edition (GPL)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> use snort;
Database changed
mysql> select count(*) from event;
+----------+
| count(*) |
+----------+
| 0 |
+----------+
1 row in set (0.20 sec)

mysql>

Nothing logged. At the very least I now know BASE can access the database as needed. I did the same with the snort user and it has access as needed too. So instead I have two issues: Snort is not logging to MySQL, and BASE is not seeing any sensors (due to no sensors logging to MySQL).

sbartlett
PostPosted: Jan 12, 2009 - 09:49 AM
Doing some research I found that something similar to the following is happening within the MySQL database.
http://www.winsnort.com/index.php?name=PNphpBB2&file=viewtopic&p=1816

ERROR: d:\win-ids\snort\etc\snort.conf(682) => ' log/portscan.log' could not be opened.
Fatal Error, Quitting..

So I went back and made sure the permissions were correct by granting permissions in mysql again. I'm still receiving the error. I also checked the 'logfile { portscan.log }' and made sure it was correct.
I know the person who posted in the link above solved his problem. It's annoying when an individual does not post how they reconciled their issue. It would make it much easier on you if they did. The questions would not have to be asked 10 times before someone typed it out so others could search.

Morpheus
PostPosted: Jan 12, 2009 - 10:08 AM
Site Admin
I think you might have made an error while cutting and pasting in the snort.conf. Go back and start over and do it by hand. The specific line number you are having problems with is 682.

You should have caught this when checking if Snort was running as a service?

sbartlett
PostPosted: Jan 13, 2009 - 09:09 AM
Snort was starting with no problem as a service. I didn't have any issues with Snort as a service until I modified one of the snort.conf lines. The line I edited is nowhere close to the line number that is in the error. I changed it back and Snort runs fine. Still no logging to BASE. I'm not at home at the moment. I'm covered up at work. I'm also beginning a new install of Snort here at work. I'm going to see if I can correct whatever error I created.

Morpheus
PostPosted: Feb 16, 2009 - 07:17 AM
Site Admin
From an open command window type in your current run line and add a -T at the very end.

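An added example, not part of the thread: what Morpheus's "-T" advice looks like as a batch file you can keep next to the service. With -T, Snort parses snort.conf, opens every log and output file it would use (including the database output plugin, which prints its connection details), reports "Snort successfully validated the configuration!" and exits instead of sniffing, so a bad line such as the line 682 error in this thread shows up immediately with an exit code. The d:\win-ids\snort tree and the snort.conf path are taken from the thread; the bin and log subdirectories, interface number 2 and the service name used in the comment are assumptions, so copy the real values from your own service's run line.

```batch
@echo off
rem Added example, not from the original post or from WINSNORT.
rem Validates snort.conf by running the service's command line with -T.
rem Assumptions: snort.exe under %SNORT_HOME%\bin, logs under %SNORT_HOME%\log,
rem interface 2; take the real values from the service's run line
rem (for example "sc qc snort" if the service is named snort).
setlocal
set SNORT_HOME=d:\win-ids\snort
set SNORT_CONF=%SNORT_HOME%\etc\snort.conf
set SNORT_LOG=%SNORT_HOME%\log
set IFACE=2
set OUT=%TEMP%\snort-T.txt

rem Run from the directory the service starts in. The error quoted in this
rem thread names a relative path, ' log/portscan.log', and a relative logfile
rem in snort.conf only resolves the same way as for the service if the
rem current directory matches.
pushd %SNORT_HOME%
"%SNORT_HOME%\bin\snort.exe" -c "%SNORT_CONF%" -l "%SNORT_LOG%" -i %IFACE% -T > "%OUT%" 2>&1
set RC=%ERRORLEVEL%
popd

if not "%RC%"=="0" (
  echo snort -T exited with code %RC%. Error lines from %OUT%:
  findstr /i /c:"ERROR" /c:"Fatal" "%OUT%"
  exit /b %RC%
)

findstr /c:"successfully validated" "%OUT%" >nul && (
  echo snort.conf OK. Database output plugin lines from %OUT%:
  findstr /i /c:"database" "%OUT%"
  exit /b 0
)

echo snort -T returned 0 but did not report a validated configuration; read %OUT%.
exit /b 1
```

A configuration that passes -T but still writes nothing to MySQL narrows the problem to the output database line itself (wrong user, password, host or database name) or to the grants for that user, because -T has already proven that every file path in snort.conf can be opened. The "database" lines it prints are the quickest way to confirm which user and database Snort is really using, without reading the whole snort.conf by hand.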
All times are GMT -5 Hours